MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8401c053dfd509441c73c2d06619fbeff3794da4c86b59f4f7de80db539e062f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8401c053dfd509441c73c2d06619fbeff3794da4c86b59f4f7de80db539e062f
SHA3-384 hash: fe60c3c95e4e88bc428f5ca368a3f5c91435128b80aef6fe5bbe698b4a37208445627fb6e21052f18d9ff849f546500c
SHA1 hash: ec26ebe03fe48704736124fcaf926f969d63d685
MD5 hash: 3fb4490c63991e8f6a6a7e80fe89fe05
humanhash: fruit-black-july-music
File name:UPDATED SOA (2).exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:487'424 bytes
First seen:2022-11-24 08:31:19 UTC
Last seen:2022-11-28 14:16:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:217zyjKffmvAVrHp0EB/WXCjRJG+LbB/tk8+eM3pDR1:IzyjKffm4pHpzB/7XlLbLae
Threatray 650 similar samples on MalwareBazaar
TLSH T164A4CF187203AB4EC7CD63F11ADC32ED66D2969C2F60FF91E65A1D6B90916039782DCC
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter Anonymous
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
211
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
UPDATED SOA (2).exe
Verdict:
No threats detected
Analysis date:
2022-11-24 08:34:44 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/75a066bc-e631-4eab-a39a-fe2d6403299c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/337974/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1687.8806.1392.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a file
Sending a custom TCP request
DNS request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/637f2c0500c584752ee1b160/reports/57f3e51d-91b4-4118-9986-dddbf5993db4/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d7057fd8-5f5d-4335-892e-c32fb0480685
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1120369
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8401c053dfd509441c73c2d06619fbeff3794da4c86b59f4f7de80db539e062f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-11-24 02:09:29 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qqa4au672ueuihdtyligmgp357zxstnezbvvt5hx32anwu46ayxq._file
Verdict:
malicious
Similar samples:
17781abe73e2c5aca6d20dd339a34f223a4dcb2de58bda4fa6679fdb83a5688e
AgentTesla
3a26dd85c2956529f42c1622a093f7b817cbd4af7a474d75198df9e455ac753f
AgentTesla
66242b095b2cfb53b52d1743a42aaa9fd94c6b53f58869c4b1c9d893a541e3a6
AgentTesla
803ce3a81dac97819000978aa8798f1d2464e12785d1625aa5ee01d0589ec8a2
AgentTesla
b5b8524f2b24683dbeb07c9af2ddc8175a7a7b8925fd2db5f9776be568c2135e
AgentTesla
cacae6414253adb53f45fdde77f42642cd773f2eb6061c2dbc9a2abbf095b90a
AgentTesla
db9bb4ecdc01a72d728f9fc7e522848ba7afe64bfa27516f0505a179db2f7345
AgentTesla
e82920cb9b7cf1077cdddabb9b56e84c70653f836ef85ea4d4a700501ccd12a3
AgentTesla
f194cc1d2476f819084e0612933173c0a8302453d32f77331e39a5d96ef5e46f
AgentTesla
+ 640 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221124-kfas4see2w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
AgentTesla
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fec998bc-71b6-48e1-be41-f1efcc3fdb18
Unpacked files
SH256 hash:
8401c053dfd509441c73c2d06619fbeff3794da4c86b59f4f7de80db539e062f
MD5 hash:
3fb4490c63991e8f6a6a7e80fe89fe05
SHA1 hash:
ec26ebe03fe48704736124fcaf926f969d63d685
Link:
https://www.unpac.me/results/a8527f64-54de-47f0-92d7-b24a46431fc7/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8401c053dfd5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/8401c053dfd509441c73c2d06619fbeff3794da4c86b59f4f7de80db539e062f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 8401c053dfd509441c73c2d06619fbeff3794da4c86b59f4f7de80db539e062f

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/337974/

Comments